OCPBUGS-83863: Strip debug symbols from Go binaries

[sdodson]

Summary

• Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
• Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

• cluster-node-tuning-operator (96.8 MB)
• gather-sysinfo (63.8 MB)
• performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

• Verify image builds successfully
• Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
• Verify operator functions correctly

Summary by CodeRabbit

• Chores
  • Updated build configuration to reduce binary sizes and streamline compilation across multiple build targets.
  • Applied the same build optimizations to additional build and test targets to ensure consistent output and faster, smaller artifacts.

[openshift-ci-robot]

@sdodson: This pull request references Jira Issue OCPBUGS-83863, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
• Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

• cluster-node-tuning-operator (96.8 MB)
• gather-sysinfo (63.8 MB)
• performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

• Verify image builds successfully
• Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
• Verify operator functions correctly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f7597fb3-2fde-4d3b-950f-ecdf67582ed0

📥 Commits

Reviewing files that changed from the base of the PR and between 18d9b3b and 486ad19.

📒 Files selected for processing (1)

• Makefile

🚧 Files skipped from review as they are similar to previous changes (1)

• Makefile

---

Walkthrough

The Makefile adds Go linker strip flags (-s -w) to build recipes. The main GO_BUILD_RECIPE and two specialized targets (build-performance-profile-creator, build-gather-sysinfo) now pass -ldflags "-s -w" inline with version injection; cluster-node-tuning-operator-test-ext also adds -ldflags "-s -w".

Changes

Binary size optimization via Go linker flags

Layer / File(s)	Summary
Go linker stripping flags in build recipes Makefile	GO_BUILD_RECIPE, build-performance-profile-creator, build-gather-sysinfo, and cluster-node-tuning-operator-test-ext are updated to include -s -w in Go linker flags; the two specialized targets switch from a LDFLAGS shell variable to inline -ldflags including -s -w and the -X ...=$(REV) version injection.

---

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	PR adds 9 test files with dynamic test names using fmt.Sprintf, e.g., It(fmt.Sprintf("%s set", sysctlVar)) and It(fmt.Sprintf("modules: %s loaded", moduleName)).	Replace fmt.Sprintf test names with static strings. Move dynamic values to test bodies, e.g.: Change It(fmt.Sprintf("%s set", sysctlVar)) to It("should set the sysctl parameter").
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New test cpu_management.go calls KnownIssueJira() which makes HTTP requests to external https://issues.redhat.com endpoint, failing in disconnected environments.	Wrap external calls with NO_BZ_CHECKS env variable checks or add [Skipped:Disconnected] to test names.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding Go linker stripping flags to reduce binary sizes by removing debug symbols.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Structure And Quality	✅ Passed	PR contains only Makefile changes for binary stripping (adding -s -w ldflags); no Ginkgo test code modifications, so test quality check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The changes are limited to Makefile modifications for Go binary stripping flags, making this check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies the Makefile to add -s -w debug stripping flags to Go binary builds. No new Ginkgo e2e tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies Makefile build flags (-s -w ldflags) to strip debug symbols. No scheduling constraints, deployment manifests, or operator code changes introduced.
Ote Binary Stdout Contract	✅ Passed	Linker flags -s -w only strip debug metadata and have no runtime behavior impact; main.go has no stdout writes in process-level code, satisfying OTE Binary Stdout Contract requirements.
No-Weak-Crypto	✅ Passed	PR contains only Makefile changes adding Go linker stripping flags (-s -w); no cryptographic code, weak algorithms, or insecure comparisons present.
Container-Privileges	✅ Passed	PR only modifies Makefile to add Go binary stripping flags (-s -w); no changes to container or K8s manifests that contain privilege configurations.
No-Sensitive-Data-In-Logs	✅ Passed	PR only adds binary stripping flags to Makefile and standard operational logging (version info, error messages). No sensitive data like passwords, tokens, API keys, or PII are logged.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jmencak]

Thank you for the PR, Scott. Do we want to do the same thing for cluster-node-tuning-operator-test-ext? It will grow large soon as we add more tests.

[sdodson]

Good call, done — added -ldflags "-s -w" to the cluster-node-tuning-operator-test-ext build target in the latest commit.

[sdodson]

The gzipped binary is about half as large once stripped.

~ podman run -it --entrypoint /bin/sh `oc adm release info 4.22.0 --image-for cluster-node-tuning-operator`
sh-5.1# dnf install -y binutils
sh-5.1# ls -la cluster-node-tuning-operator*
-rwxr-xr-x. 1 root root 101535656 May 19 16:47 cluster-node-tuning-operator
-rwxr-xr-x. 1 root root  11113396 May 19 16:47 cluster-node-tuning-operator-test-ext.gz
sh-5.1# gzip -d cluster-node-tuning-operator-test-ext.gz 
sh-5.1# strip cluster-node-tuning-operator*
sh-5.1# gzip cluster-node-tuning-operator-test-ext 
sh-5.1# ls -la cluster-node-tuning-operator*
-rwxr-xr-x. 1 root root 72069048 Jun  9 17:48 cluster-node-tuning-operator
-rwxr-xr-x. 1 root root  5684280 Jun  9 17:48 cluster-node-tuning-operator-test-ext.gz

[jmencak]

/retest

[jmencak]

/retest

[jmencak]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmencak, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jmencak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

/verified by CI

[openshift-ci-robot]

@sdodson: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 7fa9ba7 and 2 for PR HEAD 486ad19 in total

[jmencak]

/retest

[openshift-ci]

@sdodson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@sdodson: Jira Issue OCPBUGS-83863: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

• openshift/multus-cni#285 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-83863 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

• Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
• Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

• cluster-node-tuning-operator (96.8 MB)
• gather-sysinfo (63.8 MB)
• performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

• Verify image builds successfully
• Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
• Verify operator functions correctly

Summary by CodeRabbit

• Chores
• Updated build configuration to reduce binary sizes and streamline compilation across multiple build targets.
• Applied the same build optimizations to additional build and test targets to ensure consistent output and faster, smaller artifacts.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.